As a cluster admin, I want the image registry CA to be installed on HyperShift worker nodes via the Machine Config Operator, so that the image registry remains functional after the node-ca daemonset is removed.

Acceptance Criteria

• Test that image registry is functional on a HyperShift hosted cluster without the node-ca daemonset running
• Verify that the image registry CA is included in the MCO-generated ignition payload during cluster creation
• Test that new nodes joining the cluster receive the correct image registry CA via MCO
• Verify that pulling images from the internal registry works on all worker nodes
• Test that the service-ca operator runs on the control plane side and correctly generates the image registry CA

Engineering Details

• The image registry node-ca daemonset is being removed upstream (blocks IR-373, RFE-8702)
• HyperShift runs MCO only in bootstrap mode, so the CA must be passed when generating the ignition payload
• MCO PR enabling this has been merged: https://github.com/openshift/machine-config-operator/pull/3876
• The service-ca operator needs to be moved to the control plane side to generate the CA

Out of Scope

• Removal of the node-ca daemonset itself (tracked in IR-373)